Feature #7012
closedrules: add dns.response sticky buffer
Description
Add DNS sticky buffer dns.response that will allow a signature to trigger on any name and rdata field over all sections in a DNS response message.
This allows simplified policy configuration and matching on all relevant fields in a dns response (instead of multiple signatures, each looking at a specific field).
This also addresses a gap where all sections / records are not currently exposed for matching.
- the "name" field in each record
- the "rdata" field in each record. For rdata, there is some logic limiting the "type" that will be checked to those that could contain domain names such as MX, NS, SOA, CNAME, PTR, ...
I plan to open a PR soon if there is interest in this feature.
JI Updated by Jason Ish almost 2 years ago
Last time I asked a similar question, the answer was that specificity was preferred, and this lead to dns.answer.name and dns.query.name and I expect this to get more complete in time.
So I'd be keen to hear interest in this field.
Just a note: dns.response is a little open in the naming department.
NS Updated by Nathan Scrivens almost 2 years ago ยท Edited
- Assignee changed from OISF Dev to Nathan Scrivens
Thanks for the feedback Jason.
Here is a little extra context. For our organization we are running in IPS mode, and are interested in triggering on any potential record in a DNS response message that could match our signatures / datasets.Needing to reference every individual field for each section will add complexity and replication to our signature set.
For example, we want to match on:
- question section: name field
- answer, authority, additional sections: name and rdata fields
This would be seven unique fields, which would translate to seven signatures just for DNS response traffic (even more if we want to have different signature / action combinations). It would be much simpler to have a generic way to fully match a DNS response.
I can see value in both implementations. Exposing unique fields for those who want to write a specific signature, but also having the option to match against all fields easily for those who want to match on everything possible in a response with a single signature.
The name isn't important, we could change that if you feel dns.response is too open. It seemed to me like a nice description, as the result is matching on the entire DNS response.
NS Updated by Nathan Scrivens almost 2 years ago
I have made progress on this, but it also has dependencies on: https://redmine.openinfosecfoundation.org/issues/7011
Once that feature is merged I'll be able to open a PR.
Do you have any other suggestions for a name if "dns.response" is too open?
JI Updated by Jason Ish almost 2 years ago
- Related to Feature #2448: dns: additional buffers for DNS Responses added
NS Updated by Nathan Scrivens over 1 year ago
- Status changed from New to In Review
JI Updated by Jason Ish about 1 year ago
Nathan Scrivens wrote in #note-3:
I have made progress on this, but it also has dependencies on: https://redmine.openinfosecfoundation.org/issues/7011
Once that feature is merged I'll be able to open a PR.Do you have any other suggestions for a name if "dns.response" is too open?
Already mentioned in the PR, but worth discussing here.
I think this works: dns.response.rrname
response is generic enough to hit on any response field. We already have dns.answers, and will add keywords like dns.additionals for more specificity.
NS Updated by Nathan Scrivens about 1 year ago
- Status changed from In Review to Resolved
Merged as part of: https://github.com/OISF/suricata/pull/12717
JI Updated by Jason Ish about 1 year ago
- Status changed from Resolved to Closed
- Target version changed from TBD to 8.0.0-beta1
VJ Updated by Victor Julien about 1 year ago
- Has duplicate Feature #2198: Extend the DNS parser to accept dns_response keyword in signatures added
VJ Updated by Victor Julien about 1 year ago
- Subject changed from Add dns.response sticky buffer to rules: add dns.response sticky buffer